Critical Infrastructure Reliability Standards for Electric Utilities Issue Brief

SUMMARY

The North American Electric Reliability Corporation (NERC) is the organization mandated by the U.S. Energy Policy Act of 2005 and charged by the U.S. Federal Energy Regulatory Commission (FERC) to draft and enforce reliability standards intended to protect cyber assets of the U.S. bulk-electricity system, generally defined as energy generation exceeding 1,500 MW in a single location or energy transmission operating at 100 kV or greater. Nearly all energy distribution networks, which typically operate at voltages below 40 kV, along with smart meters and residential service, are outside the scope of NERC and are regulated at the state and local levels.

NERC accomplishes its mission through a set of Critical Infrastructure Protection (CIP) reliability standards that are approved by FERC. Once approved, utilities must be compliant by an established date. NERC has authority to assess fines against non-compliant utilities in amounts up to $1,000,000 per violation and per day, retroactive to the effective date of the standard.

UTC POSITION

As the global association representing the telecommunications and critical infrastructure needs of the energy and water utility sectors, the Utilities Technology Council (UTC) is well positioned to assist its members who develop and implement NERC CIP standards. UTC experts understand how the standards impact the Information and Communications Networks (ICT) owned, operated, and deployed by utilities in order to reliably deliver energy and water services. UTC also provides educational opportunities on grid security and compliance best practices.

BACKGROUND

NERC was a voluntary organization established in 1968; under the 2005 Energy Policy Act, utility participation in NERC became mandatory.

NERC drafts new or revised CIP reliability standards through standards-drafting teams consisting of industry stakeholders, asset owner/operators, and other industry subject matter experts. Once a standard is completed, NERC members vote, and if it is approved, NERC sends the draft standard to FERC for adoption. FERC can either adopt the standard, return it to NERC for further work, or seek additional comment from stakeholders before acting. FERC can also order NERC to draft a standard, which it has done twice.

NERC delegates its authority to monitor and enforce compliance to seven Regional Entities that audit asset owner/operators:

• Florida Reliability Coordinating Council (FRCC)
• Midwest Reliability Organization (MRO)
• Northeast Power Coordinating Council (NPCC)
• ReliabilityFirst (RF)
• SERC Reliability Corporation (SERC)
• (Texas RE)
• Western Electricity Coordinating Council (WECC)

NPCC, MRO, and WECC include Canadian provinces because of the international nature of the interconnected grid (parts of Mexico are also interconnected to the North American grid). NERC CIP standards address definition of cyber assets, electronic perimeters, personnel, information change management, security system management, information protection, incident response, recovery planning and physical security.

SITUATIONAL AWARENESS

For the most part, NERC CIP Reliability Standards have driven a level of cybersecurity spending that utilities might not otherwise have undertaken. Therefore, reliability standards have had a positive impact, bringing attention and funding to protection of critical infrastructures. However, some industry stakeholders have conflated compliance with security and the two are not equivalent. Compliance is adherence to a one-size-fits-all list of requirements. Security derives from an asset-based risk assessment that is unique to each utility. The uniqueness of each utility’s risk profile means that no utility can achieve security solely through compliance with regulations. UTC believes that existing NERC CIP requirements have helped bring a much-needed spotlight on utility security. There is, however, a point at which regulation ends and security begins.

When regulation can improve utility security across the board, UTC will support it. If we believe that proposed new regulation will impose additional workload without improving security, UTC will offer commentary—often in unison with other trade associations—on whether this regulation will improve utility security. UTC’s NERC CIP involvement focuses on areas of the Information and Communications Technology (ICT) assets for our member electric utilities.

UTC stays ahead of decision-making through involvement with FERC and NERC to:

• Influence standards development in the best interest of securing our members’ ICT assets; and,
• Give our members as much advance notice as possible of new NERC CIP standards that could affect the deployment and operation of their ICT.

UTC provides its members a private forum to discuss the impact of current or proposed standards upon their ICT assets. UTC assists its member utilities with NERC CIP compliance through frequent webinars and other educational activities.

ABOUT UTC

UTC is a global trade association dedicated to serving critical infrastructure providers. Through advocacy, education and collaboration, UTC creates a favorable business, regulatory and technological environment for companies that own, manage or provide critical telecommunications systems in support of their core business.

UTC CONTACTS

Sharla Artz, Senior Vice President, Government and External Affairs
Email: [email protected]